Elfin (aka APT33), a hacker group affiliated with the Iranian government, is described by Symantec as “one of the most active groups currently operating in the Middle East.” They have been linked with a string of attacks on U.S. and Saudi Arabian companies, particularly in the aerospace and energy sectors.

However, where previously the group mainly conducted data destruction-based attacks, Symantec is now reporting that Elfin has switched its modus operandi to focus on spear phishing and known vulnerabilities in common software. The group’s targets remain largely the same, but their goals seem to have changed.

Instead of using wipers, Symantec reports that the group’s recent attacks are aimed at data exfiltration using vulnerabilities in a common piece of software. “The main point of entry in recent attacks has been spear-phishing emails capable of delivering malware to the recipient’s computer,” says Dick O’Brien, researcher at Symantec's Security Response. “The group has also attempted to exploit the recently patched WinRAR vulnerability attacks.”

After sending phishing emails to targeted companies, the victim is encouraged to download a file, JobDetails.rar, which then tries to exploit vulnerability CVE-2018-20250 in WinRAR. A successful infection on an unpatched system allows an attacker to install any file on the computer.

What is Elfin and what do they want?

According to FireEye, Elfin/APT33 has been around since roughly 2013 but rose to prominence in late 2016 after using targeted phishing attacks and domain-spoofing to deliver the Shamoon wiper malware. The group has been tied to Iran, given the targeting of Saudi and U.S. companies and the fact the group leverages hacker tools and DNS servers used by other suspected Iranian threat groups, including Shamoon, StoneDrill, Dropshot, Turnedup and others. FireEye has noted that APT33’s activities suggests that they were operating in a time zone that coincides with Iran’s Daylight Time

“Based on its tactics and targets, our assessment is that Elfin is a state-sponsored espionage group,” says O’Brien. “Given the nature of the group and its targets, we can only speculate that the information in question is likely to be of a strategic or economic interest to Elfin’s sponsors.”

“Your organization needs to adopt a multi-layered approach to security to best ensure that any point of failure is mitigated by other defensive practices,” says O’Brien. “This should include not only regularly patching vulnerabilities, but also employing multiple, overlapping, and mutually supportive defensive systems to guard against single point failures in any specific technology or protection method.”

The group generally focuses on aerospace [both defense and commercial] and energy companies located in the U.S. — of which 18 have been attacked over the past three years — Saudi Arabia and South Korea. It has also hit engineering, chemical, research and healthcare organizations in countries across Europe and MENA.

Traditionally, the group scans for vulnerable websites and to identify potential targets, either for attacks or creation of command and control (C&C) infrastructure. Malware associated with the group include Shamoon 2.0 and StoneDrill, both of which are generally used in data destruction/wiper attacks.

Elfin moves on from Shamoon

Elfin has long been linked Shamoon, which was first used to conduct a sabotage attack on Saudi Aramco in 2012 but has been regularly used by Iran-linked APTs since 2016. While the group is not thought to be the creators of Shamoon, it is responsible for an uptick in its use using a modified version, sometimes known at Shamoon 2.0, since 2016. Italian oil services firm Saipem (of which Saudi Aramco is a customer) was hit with a Shamoon attack in December 2018 that Symantec had linked to Elfin.

The group has previously registered domains impersonating many companies in its targeted industries including Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell, and featured recruitment-themed lures.

“Elfin was first linked to Shamoon when a Shamoon victim in Saudi Arabia was also attacked by Elfin, and infected with the Stonedrill malware,” says O’Brien. “Because the Elfin and the Shamoon attacks occurred so close to each other, there has been speculation that the two groups may be linked.”

More groups likely to use the WinRAR exploit

The Elfin group is not the only one looking to take advantage of WinRAR. Though a patch for the CVE-2018-20250 vulnerability — originally discovered by Checkpoint — has been issued, the software does not contain an auto-update feature. FireEye is reporting multiple campaigns underway exploiting the vulnerability. The security firm predicts more in the future due to the software’s popularity and the fact many will likely be running older version.

“While this vulnerability has been fixed in the latest version of WinRAR (5.70), WinRAR itself does not contain auto-update features, increasing the likelihood that many existing users remain running out-of-date versions,” FireEye Researcher Dileep Kumar Jallepalli explains in a blog post. “Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days.”